babadeda | 19415b0f141eba1d036f14bc99b970db90e5f29b2656f69a56980b19214994b2

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b6a482264775b5ab5b792c89f4cb272.exe
Size

6.9MB
MD5

1b6a482264775b5ab5b792c89f4cb272
SHA1

c265d55a702cb0323f7347bea2915e8c63d89983
SHA256

19415b0f141eba1d036f14bc99b970db90e5f29b2656f69a56980b19214994b2
SHA512

5afaf1a5671962f752a28972d8b8fc348c1c1cc126d3ced48a0647eb37fb83d0910d7f4cacd31e17e9fb6a9dede8554be28fb48de275251440e30fe3b8a67113
SSDEEP

196608:kPGZKb8Ehfrm4JYKtjADXsuIwDO+tkw06y2:VoJrzaKtjADVIUdR

Score

10^/10

babadeda vidar 953 crypter discovery loader stealer upx

Malware Config

Extracted

Family

vidar

Version

39.8

Botnet

953

https://xeronxikxxx.tumblr.com/

Attributes

profile_id
953

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Sentry Framework\ui.xml	family_babadeda
behavioral1/memory/1224-554-0x00000000027B0000-0x00000000057B0000-memory.dmp	family_babadeda
behavioral1/memory/1224-598-0x00000000027B0000-0x00000000057B0000-memory.dmp	family_babadeda

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Sentry Framework\ui.xml	family_vidar
behavioral1/memory/1224-552-0x0000000000400000-0x0000000000B07000-memory.dmp	family_vidar
behavioral1/memory/1224-555-0x0000000000400000-0x0000000000B07000-memory.dmp	family_vidar

Executes dropped EXE 2 IoCs

Processes:

irsetup.exesmartmap.exe

pid process

2504 irsetup.exe
1224 smartmap.exe

pid	process
2504	irsetup.exe
1224	smartmap.exe

Loads dropped DLL 11 IoCs

Processes:

1b6a482264775b5ab5b792c89f4cb272.exeirsetup.exesmartmap.exe

pid	process
3036	1b6a482264775b5ab5b792c89f4cb272.exe
3036	1b6a482264775b5ab5b792c89f4cb272.exe
3036	1b6a482264775b5ab5b792c89f4cb272.exe
3036	1b6a482264775b5ab5b792c89f4cb272.exe
2504	irsetup.exe
2504	irsetup.exe
2504	irsetup.exe
2504	irsetup.exe
2504	irsetup.exe
2504	irsetup.exe
1224	smartmap.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe	upx
behavioral1/memory/3036-6-0x0000000002F10000-0x00000000032F8000-memory.dmp	upx
behavioral1/memory/2504-17-0x0000000001240000-0x0000000001628000-memory.dmp	upx
behavioral1/memory/2504-548-0x0000000001240000-0x0000000001628000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

smartmap.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	smartmap.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	smartmap.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	smartmap.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

irsetup.exe

pid process

2504 irsetup.exe
2504 irsetup.exe

pid	process
2504	irsetup.exe
2504	irsetup.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1b6a482264775b5ab5b792c89f4cb272.exeirsetup.exe

description	pid	process	target process
PID 3036 wrote to memory of 2504	3036	1b6a482264775b5ab5b792c89f4cb272.exe	irsetup.exe
PID 3036 wrote to memory of 2504	3036	1b6a482264775b5ab5b792c89f4cb272.exe	irsetup.exe
PID 3036 wrote to memory of 2504	3036	1b6a482264775b5ab5b792c89f4cb272.exe	irsetup.exe
PID 3036 wrote to memory of 2504	3036	1b6a482264775b5ab5b792c89f4cb272.exe	irsetup.exe
PID 3036 wrote to memory of 2504	3036	1b6a482264775b5ab5b792c89f4cb272.exe	irsetup.exe
PID 3036 wrote to memory of 2504	3036	1b6a482264775b5ab5b792c89f4cb272.exe	irsetup.exe
PID 3036 wrote to memory of 2504	3036	1b6a482264775b5ab5b792c89f4cb272.exe	irsetup.exe
PID 2504 wrote to memory of 1224	2504	irsetup.exe	smartmap.exe
PID 2504 wrote to memory of 1224	2504	irsetup.exe	smartmap.exe
PID 2504 wrote to memory of 1224	2504	irsetup.exe	smartmap.exe
PID 2504 wrote to memory of 1224	2504	irsetup.exe	smartmap.exe

C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe
"C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1798690 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1b6a482264775b5ab5b792c89f4cb272.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3427588347-1492276948-3422228430-1000"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe
"C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1224

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB35A.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB3BA.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
Filesize
326KB

MD5
e7a789232ef503dcb4929791673009a3

SHA1
8bc28bce4c9d8b4a6e360100441ba54a878de4c1

SHA256
89daa79b558055f6f893abf38a0f17d3e1e0193d59dafbdf98d72d4e5961c2a1

SHA512
6439a2ec5e9d486c15a37a736bc8d36d8e5f6ecb6a354d0fdd7efc9dccd3fb6bdb208a051b0d81f101669169826e07f9b4ddd79259c79c1e03856af5a9442b87

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\COPYING.txt
Filesize
3KB

MD5
cedef94f5701b0f14e5d358caf023480

SHA1
fc717140a9dd390068bad40a70f55e502f7c66e8

SHA256
54327b2950ffac8999f869515d44b8c6fbbe6a3764c7573518f920b8988cbf9a

SHA512
bd22f9e0f008468232529c2da1639efaddca041e61e511ea0bad2a2b7ae43c43513ea7caf5371f7f0cc88bce43ed2f8ff44f053db381545398f9e03660c453f5

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\Lang\en\Phototheca EULA.rtf
Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\Lang\fr\searchhelp.rtf
Filesize
56KB

MD5
520077fd6d03c64c735258d4d87921d8

SHA1
1b8d82d7da2d85527ce91e72f179fb8a418d47de

SHA256
6faf5a4f8a729dbdc4082a7f33ffde3e72ef34acbf0875932b3e4427bfd9b598

SHA512
8ccd614aaf7cee74a0ed8b34267db004f240ed51d41dd80caeef12fe29a785d4e109b2526acf4c04ff30edc025c1e4afd7e9e11b32ca08ecc3ced7435514d4de

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\RELEASE_NOTES.html
Filesize
87KB

MD5
77db64e395175649374d32e386fd1033

SHA1
1e26bbd5055d3717e7f57219f2b7c1a305f84678

SHA256
7d841eedf45ff8a6e61e9e3bd8e03414fff2dd650eef9b8d5b9102949e2fa163

SHA512
238ef2258060e4ff43184dfc42d523dfed7301f5f3bef4a217827059da70ec59ec173d1550b633156824c010970f95574dd62f91e72c139bd40c083527b124a0

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\Uninstall\uninstall.xml
Filesize
40KB

MD5
fc1038543e8e17a57d1780c715cbd32b

SHA1
474f18e8d95d0b774248c8af312dc648daea1a3a

SHA256
e8d6412d8b4e8b2b84f8e72799a2ddfa18358967edf38458b216e8c6b56a6005

SHA512
dd1421cc6e6308ffee0de19dcb8d76405d9b4fbde9fe487d884e012aab275627b57fec87f579ec60552c445536e6c633a56f788ab1d99ba34e6eac4e7738a746

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\Uninstall\uninstall.xml
Filesize
47KB

MD5
b35a38d9f72cc3950e780d9553e43500

SHA1
b168fb0f7f83fce470e0689f7f4ebe9c27b32cc6

SHA256
670cb3aea6e0a7e7a01311fed78461b115540c6856761cf2672eacc1f32a9674

SHA512
bd4bce7a08306aa5d1b32d33d5c421dc51db98175c1922fde82030a730f68ff75e79993d066d29ace63badd6428c46f82539ad0accd374f7f8988baa532848a3

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\librsvg-2-1.dll
Filesize
4.1MB

MD5
52e8bac9e1504c55e01e8aa8c2104413

SHA1
fb52993c48d90e92322c3065af529125a5b4d790

SHA256
1b6af23ad3b5c0961790a569a70531b8cfda7e7994f63303182c1e530fa10397

SHA512
43d21d41ed27cceda0741b7f9ada0f202f85441c9d1a6d544f23e296c7c462e8edad57ad74b6349eee31a51f9db543d0fea4605e0483e7fec3ab5cabdb05ded4

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\smartmap.exe
Filesize
6.7MB

MD5
283611ce7db656828b2aa850d80e4d52

SHA1
c536707ed3fbac4a0b8b95608fd119ca945024a7

SHA256
d63b56356c6b5bd71b479bdf020a23c9f2c9853de96296eade1768fcac02b278

SHA512
c7eaff35ee6b931d7a480de149fb5a6bf5f4f2c1d7988a60ba1e955a9fecca35a1406eaf95ef7d346adb333165293e0a43b2b815ee27ad981e2361da8bb82392

Download Submit
C:\Users\Admin\AppData\Roaming\Sentry Framework\ui.xml
Filesize
1.4MB

MD5
1685e7d5daf2431688974106d7ec55c8

SHA1
5958995da6f985493558a15c916d72b1ea2184d4

SHA256
7154d9211f795054f7a60f072d7d22c4cff87e49d8b724a1897952f39d728f19

SHA512
2ee37c33fc2975e21ab27e84f041582663dc131de0fbaf3fc6387c97f34e81d1e3fc7152bbd0e11269e74a135f45a32b265fbf6fda198654d409e0c864cc24d1

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
Filesize
1.3MB

MD5
ac23d03c4b8d531016a3c1ebfa2bc91c

SHA1
11383627d5515ed2257f594db7fbce3a4b9106f8

SHA256
0ddd10f3c8a3268237117f08a94c52ead801a76286bb76d0f521b56689801d06

SHA512
bb649ab787a05dba410ce43a592b7f122c71f1fdc69bbb8789c57a3e64018189eebb9b46669a2d6a1b156818bb59beed130aeae6e1928108dee16168445659c1

Download Submit
memory/1224-555-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/1224-552-0x0000000000400000-0x0000000000B07000-memory.dmp

Filesize
7.0MB

Download
memory/1224-554-0x00000000027B0000-0x00000000057B0000-memory.dmp

Filesize
48.0MB

Download
memory/1224-598-0x00000000027B0000-0x00000000057B0000-memory.dmp

Filesize
48.0MB

Download
memory/2504-531-0x0000000000C30000-0x0000000000C40000-memory.dmp

Filesize
64KB

Download
memory/2504-548-0x0000000001240000-0x0000000001628000-memory.dmp

Filesize
3.9MB

Download
memory/2504-17-0x0000000001240000-0x0000000001628000-memory.dmp

Filesize
3.9MB

Download
memory/3036-15-0x0000000002F10000-0x00000000032F8000-memory.dmp

Filesize
3.9MB

Download
memory/3036-6-0x0000000002F10000-0x00000000032F8000-memory.dmp

Filesize
3.9MB

Download